Are CAs keeping your mobile devices secure?

Cracks — such as arduous vetting and suspect certificate authorities — are starting to show in the digital certificate system, which authenticates the identity of websites that interact with our mobile devices. Here’s what you need to know to keep your network communications safe.

Buried deep within the Hillary Clinton email scandal is one tiny detail only cyber-security geeks can fully appreciate.

As the Washington Post reported, Clinton not only used a private email server as U.S. secretary of state; during her first two months on the job, she used one that wasn’t even protected by a digital certificate.

Admittedly, this isn’t remotely shocking compared with some of the stuff coming out of Donald Trump’s mouth. According to a cyber-security expert quoted in the Post story, however, the absence of a digital certificate suggests “anyone could have accessed” the emails coming out of Clinton’s computer at that time because they probably weren’t encrypted.

Digital certificates are crucial to ensuring trust and security on the Internet because they authenticate the identity of websites that interact with our mobile devices.

“A certificate can tell a device that a site is who it says it is,” said Andrew Blaich, a security researcher at Lookout Inc., who presented an entire session on certificates at the recent SecTor cyber-security conference in Toronto.

A website that doesn’t have a valid digital certificate could be run by hackers trying to pilfer your corporate accounts or hold your enterprise data hostage. Without certificates, authentication and encryption can’t happen online the way they’re supposed to.

Although Blaich didn’t mention Clinton’s Servergate fiasco in his presentation, he did raise some red flags about cracks that are showing in the digital certificate system. Here’s the lowdown.

Speed

Blaich said it can take up to 11 months for a new certificate authority (CA) to get its root certificate accepted into the trust stores maintained by Google, Apple or Mozilla, because the process includes verification, public discussion, formal approvals and … you get the drift.

Thorough, arduous vetting would seem like a good thing. Yet Blaich pointed out it also “takes a very long time for these things to be revoked.” So even if a CA has been hacked or caught doing very bad things, the certificates it has issued can keep working until the root-store operators finally remove it.

Lack of automation

CAs publish lists of the certificates they have revoked (certificate revocation lists, or CRLs), and root-store operators keep their own lists of distrusted certificates and CAs, so anyone can check a website (or a fellow CA) that seems a little fishy. But consulting those lists is not enforced: browsers commonly fail open and accept a certificate when a revocation check cannot be completed, so the process is a code-of-honour sort of thing, with the onus on users and other CAs to actively check for sites on those lists.

Users who do spot ‘bad’ sites sometimes have to manually add the offending certificates to blocklists on their own systems to protect them, Blaich said. Because your IT department doesn’t have anything else to do, right?

Suspect CAs

Next year, Google and Microsoft plan to stop recognizing digital certificates signed with the SHA-1 hash algorithm, because of weaknesses that bring collision attacks, and with them forged certificates, within reach. CAs were asked to stop issuing new SHA-1 certificates after Jan. 1, 2016.

According to Mozilla, however, CAs WoSign and StartCom were not only caught issuing new SHA-1 certificates after the deadline, but also fraudulently backdated them to get around the restrictions. How trustworthy are certificates if you can’t trust the CAs issuing them?
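To make three of the mechanisms above concrete (the identity check a device performs, the revocation list that the relying party has to consult itself, and a SHA-1 policy that cannot be dodged by backdating), here is an added example; it is not part of the original article or of Blaich's talk. It builds a throw-away root CA and server certificate in memory with Go's standard library and then runs the checks a cautious client would. The CA name "Example Test Root CA", the hostname example.com, the evaluation date, the 90-day certificate lifetime and the one-week CRL lifetime are all assumptions chosen for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
var (
	now         = time.Date(2016, 11, 1, 12, 0, 0, 0, time.UTC) // assumed evaluation time for every check
	errRevoked  = fmt.Errorf("certificate serial is listed in the issuer's CRL")
	errStaleCRL = fmt.Errorf("CRL is past its NextUpdate; refusing to treat it as current")
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // fine for this demo's builders; a real client would return the error
	}
	return v
}

// newRoot builds a constructed self-signed root (not a real CA) that may sign both certificates and CRLs.
func newRoot() (*x509.Certificate, *ecdsa.PrivateKey) {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &k.PublicKey, k)))), k
}

// issueLeaf: root issues a 90-day cert for host (hypothetical) with a fresh key; alg 0 = ECDSA/SHA-256, x509.ECDSAWithSHA1 mimics a SHA-1 issuer.
func issueLeaf(root *x509.Certificate, key *ecdsa.PrivateKey, host string, alg x509.SignatureAlgorithm) *x509.Certificate {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, SignatureAlgorithm: alg,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, root, &k.PublicKey, key))))
}

// checkIdentity is what a client does per connection: chain the leaf to a trusted root and match the hostname. Verify consults no CRL.
func checkIdentity(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err
}

// checkSignatureAlgorithm rejects by algorithm alone: a "no SHA-1 after 2016-01-01" date rule is defeated by a backdated NotBefore.
func checkSignatureAlgorithm(c *x509.Certificate) error {
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return fmt.Errorf("certificate is signed with a deprecated hash: %s", c.SignatureAlgorithm)
	}
	return nil
}

// issueCRL has the root publish a one-week revocation list naming the given serials.
func issueCRL(root *x509.Certificate, key *ecdsa.PrivateKey, revoked ...*big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: s, RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, root, key))
}

// checkRevocation is the step left to the relying party: the CRL must verify against the issuer and be current at time at; a stale or foreign CRL fails closed.
func checkRevocation(crlDER []byte, leaf, issuer *x509.Certificate, at time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return err
	}
	if at.After(crl.NextUpdate) {
		return errStaleCRL
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errRevoked
		}
	}
	return nil
}

func main() {
	root, key := newRoot()
	site := issueLeaf(root, key, "example.com", 0)
	fmt.Println("wrong host:", checkIdentity(site, root, "evil.example.net"))
	fmt.Println("revoked:", checkRevocation(issueCRL(root, key, site.SerialNumber), site, root, now))
	fmt.Println("SHA-1 leaf:", checkSignatureAlgorithm(issueLeaf(root, key, "example.com", x509.ECDSAWithSHA1)))
}
```

Two things to keep in mind when adapting this. Go's own Verify has refused SHA-1 signatures on non-root certificates since Go 1.18, so on a current toolchain checkIdentity would also fail the SHA-1 leaf, only with a less explicit error; the separate policy check exists so the rejection is by algorithm rather than by date. And note what none of these checks would catch: a certificate that a trusted root was never entitled to issue for a domain (the French case below) passes chain, hostname, hash and revocation checks alike, which is why browsers layered public-key pinning, and later Certificate Transparency, on top of chain validation.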

Et tu, France?

Blaich also warned the SecTor crowd they shouldn’t always trust certificates issued by — wait for it! — national governments.

He wasn’t just talking about Kazakhstan’s bizarre attempt to force all its citizens to install a government root certificate so that it could intercept their encrypted traffic. No, Blaich was referring to the likes of France, whose government-run CA (ANSSI) issued unauthorized certificates for several Google domains in 2013. Anyone holding those certificates could have impersonated Google’s sites to any device that trusted the French root.

Since governments are allowed to fast-track their own CAs without third-party audits, Blaich said “there’s a lot of controversy over who owns the (government) certifications and what they’re doing with them.” No wonder Google and others have been calling for greater transparency in the certificate process.

People are still asking questions about Hillary Clinton’s private email server. And there should have been digital certificates on that server. Maybe we should be asking how well the digital certificate system is serving us, too.